Membership / Authorization through the REST Service

I am exploring the creation of a WCF REST service for an existing ASP.NET application that will be consumed by various clients, including Windows Phone 7, Android and iPhone apps.

Creating a simple WCF REST service and consuming it from the above platforms is not a problem and works very well. The part I'm struggling to get my head around is authorization.

The ASP.NET application uses the Membership provider for authentication and authorization, and it would be convenient for me to use that API from the REST service.

How do I protect my REST service so that the first call must be authenticated (passing username and password), and subsequent calls know who is "logged in"? I assume the authentication method will have to return some kind of token, which is then passed on subsequent calls to identify the caller. How secure is this, given that the entire site/service is over SSL?

Any suggestions are welcome.

3 answers

In general, the token approach is better than just sending username + password (Basic authentication) with each request. The problem is implementing it correctly: while Basic authentication is very easy to implement, and in fact is already implemented by most application and web servers, a token is something you have to implement yourself. It has to be encrypted, so you need some key management; it also needs some kind of expiry; and you may need a revocation feature.
In addition, it makes the client's life more complicated: instead of simply attaching the Basic authentication header to each request, the client must first go to some authentication endpoint, get a valid token, and then use the token in its requests. If the token expires, the client must go back to the authentication endpoint.

So, if you have the time and the knowledge, and your clients are smart, the token approach is better. Otherwise, Basic authentication should be sufficient over SSL.


A more RESTful authentication scheme is to use HTTP authentication, e.g. Basic or Digest. Since your service is over SSL, Basic should be sufficient. The authentication credentials (login/password) are sent with each request, so the service can be stateless. Every client library I know of can handle Basic authentication.

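The Basic-over-SSL approach that the first two answers recommend, as an added example (not code from the original question or answers): a WCF message inspector that refuses non-HTTPS requests, parses the `Authorization: Basic` header, validates the pair with the ASP.NET Membership provider, and attaches the user as the current principal so service operations and `Roles.IsUserInRole` know who is calling. The realm name and the inspector name are assumptions.

```csharp
// Added example, not from the original post. Assumes an ASP.NET-hosted WCF
// REST service with the Membership provider configured in web.config.
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;
using System.Text;
using System.Threading;
using System.Web.Security;

public class BasicAuthInspector : IDispatchMessageInspector
{
    private const string Realm = "MyRestService"; // assumed realm name

    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        // Basic sends the password in clear text; TLS is the only thing that makes it
        // acceptable, so refuse to even look at credentials on a plain http endpoint.
        if (request.Properties.Via.Scheme != Uri.UriSchemeHttps)
            throw new WebFaultException<string>("HTTPS required", HttpStatusCode.Forbidden);

        var http = (HttpRequestMessageProperty)request.Properties[HttpRequestMessageProperty.Name];

        string username;
        if (!TryAuthenticateBasic(http.Headers[HttpRequestHeader.Authorization], out username))
            throw Unauthorized();

        // Nothing is stored server-side: the identity lives only for this request.
        // RolePrincipal consults the configured RoleProvider on demand.
        Thread.CurrentPrincipal = new RolePrincipal(new GenericIdentity(username, "Basic"));
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }

    // Parses "Basic base64(user:pass)" and validates the pair with Membership.
    // Returns false for a missing or malformed header and for bad credentials.
    public static bool TryAuthenticateBasic(string header, out string username)
    {
        username = null;
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;

        string pair;
        try { pair = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }   // not valid base64

        // A password may itself contain ':'; only the first one separates the fields.
        int colon = pair.IndexOf(':');
        if (colon <= 0) return false;
        string user = pair.Substring(0, colon);
        string password = pair.Substring(colon + 1);

        // ValidateUser applies the provider's hashing, lockout and approval rules.
        if (!Membership.ValidateUser(user, password)) return false;
        username = user;
        return true;
    }

    private static WebFaultException<string> Unauthorized()
    {
        // Advertise the scheme so client libraries can retry with credentials.
        WebOperationContext.Current.OutgoingResponse.Headers[HttpResponseHeader.WwwAuthenticate] =
            "Basic realm=\"" + Realm + "\"";
        return new WebFaultException<string>("Authentication required", HttpStatusCode.Unauthorized);
    }
}
```

The inspector is registered through an `IEndpointBehavior` whose `ApplyDispatchBehavior` adds it to `endpointDispatcher.DispatchRuntime.MessageInspectors`. Set `principalPermissionMode="None"` on the `serviceAuthorization` behavior, otherwise WCF replaces `Thread.CurrentPrincipal` with a Windows principal before the operation runs. Because credentials are re-validated on every call, disabling or locking the account in the Membership store takes effect immediately, which is the revocation property the token approach has to build separately.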

I saw an example in the latest Windows Azure Toolkit for WP7 that may be useful to you. It basically uses the Membership provider, logs the user in (the first time the application is launched), and then generates a ticket. It then encrypts this ticket and sends it back as a TOKEN, which is stored on the phone in isolated storage. The ticket expiration is set to int.MaxValue so that the token stays valid for a long time.

This token is then passed to the web services in the Authorization header, where it is decrypted, the user's identity is verified, and then the web service call proceeds.

Hope this helps. I am trying to solve a similar scenario and, trust me, there isn't much out there pointing us in the right direction... it's a rather sad state of affairs if you ask me.

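The token scheme described in the first and third answers (authenticate once with username + password, get back an encrypted ticket, present it on later calls), as an added example that is not the Azure toolkit's code nor part of the original answers. It uses `FormsAuthentication.Encrypt`/`Decrypt`, which encrypts and MACs the ticket with the site's `machineKey`, so the key management the first answer warns about is handled by ASP.NET. Unlike the toolkit example, the lifetime is bounded and the account is re-checked in the Membership store on every call; the `Token` scheme name, the eight-hour lifetime and the `login` URI are assumptions.

```csharp
// Added example, not from the original post or the Azure toolkit. Assumes an
// ASP.NET-hosted WCF REST service with Membership configured; on a web farm
// every node must share the same <machineKey> for Decrypt to work.
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Web.Security;

public static class TokenAuth
{
    // Assumed lifetime. An int.MaxValue expiry means a token copied out of the
    // phone's isolated storage never dies; keep it short and let clients re-login.
    private static readonly TimeSpan Lifetime = TimeSpan.FromHours(8);

    // First call: username + password over SSL. Returns the token, or null if
    // the Membership provider rejects the credentials.
    public static string Issue(string username, string password)
    {
        if (!Membership.ValidateUser(username, password)) return null;

        DateTime now = DateTime.UtcNow;
        var ticket = new FormsAuthenticationTicket(
            1, username, now, now.Add(Lifetime),
            false,   // isPersistent: irrelevant here, expiry is enforced in Validate
            "",      // userData: roles could be cached here if desired
            "/");
        // Encrypt() produces an encrypted and MAC'd string; it cannot be edited
        // (e.g. to extend the expiry) without the machineKey.
        return FormsAuthentication.Encrypt(ticket);
    }

    // Subsequent calls: "Authorization: Token <value>". Returns the username or null.
    public static string Validate(string authorizationHeader)
    {
        if (string.IsNullOrEmpty(authorizationHeader) ||
            !authorizationHeader.StartsWith("Token ", StringComparison.OrdinalIgnoreCase))
            return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(authorizationHeader.Substring(6).Trim()); }
        catch (Exception) { return null; }   // tampered, truncated, or not issued by us
        if (ticket == null || ticket.Expired) return null;

        // Cheap revocation: a valid ticket is useless once the account has been
        // disabled or locked out after the token was issued.
        MembershipUser user = Membership.GetUser(ticket.Name, false);
        if (user == null || !user.IsApproved || user.IsLockedOut) return null;
        return ticket.Name;
    }
}

// The authentication endpoint the client calls first (assumed contract).
[ServiceContract]
public interface IAuthService
{
    [OperationContract]
    [WebInvoke(Method = "POST", UriTemplate = "login",
               RequestFormat = WebMessageFormat.Json, ResponseFormat = WebMessageFormat.Json)]
    string Login(string username, string password);
}

public class AuthService : IAuthService
{
    public string Login(string username, string password)
    {
        string token = TokenAuth.Issue(username, password);
        if (token == null)
            throw new WebFaultException<string>("Invalid credentials", HttpStatusCode.Unauthorized);
        return token;
    }
}
```

On the protected endpoints, `TokenAuth.Validate` is called from a message inspector in the same way the Basic header would be, and the returned name becomes the request's principal. Decrypt failures are deliberately treated the same as an expired ticket, so a client sees one 401 and goes back to `login`, which is exactly the re-authentication step the first answer says a token client must be prepared for.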

Source: https://habr.com/ru/post/1344922/

